Hello,
Am Samstag, 21. Mai 2016, 10:31:22 CEST schrieb Andrei Borzenkov:
> 21.05.2016 05:59, Reindl Harald пишет:
> > Am 20.05.2016 um 21:50 schrieb Christian Boltz:
> >> systemctl restart foo
> >>
> >> is internally mapped to a sequence of
> >>
> >> systemctl stop foo; systemctl start foo
> >
> > what else?
It's a good default, but like every default, there are cases where you
need something different ;-)
> >> Unfortunately, this behaviour causes quite some trouble for me.
> >
> > why?
>
> If you bothered to read URL OP mentioned, you would see one possible
> reason.
I can add my usecase as another reason ;-)
I'm talking about AppArmor, where "stop" means unloading the profiles
from the kernel. The result is that all AppArmor confinement is removed
from all running processes.
"start" means loading the profiles and applying the confinement to _newly
started_ profiles.
This also means that _already running_ processes won't be (re)confined [1],
which translates a small typo done by the admin ("systemctl restart
apparmor" instead of "systemctl reload apparmor") to leaving lots of
processes unconfined and turns that accidential use of "restart" into a
security risk.
This is why I need to override the "restart" behaviour so that it
reloads the profiles while keeping running processes confined.
The easiest solution would be an ExecRestart= directive in the service
file, but unfortunately this isn't available.
Actually, searching for "systemd ExecRestart" brings up that I'm not
the first one asking for it, see for example
https://lists.freedesktop.org/archives/systemd-devel/2012-November/007595.html
and https://techdetails.agwego.com/2013/06/07/227/
A possible alternative would be to use
ExecStop=echo "broken by systemd. If you really want to stop AppArmor,
please use $newly_invented_command"
I'd really like to avoid this ;-) but it's probably better than silently
making the system insecure by an accidently typed "restart".
> >> I need a way to know if "restart "or "stop" was used because the
> >> mapping to stop / start gives my service a completely different
> >> behaviour than expected on restart.
> >>
> >> Is there a way to find out if "stop" or "restart" was used?
> >
> > if you need to differ here your service is broken by design - why do
s/broken by design/different/ - or s/your service/systemd/ (choose yourself!)
Please don't judge on something that hard just because it doesn't work
the way you expect ;-)
> > you need to kow what triggered stop and what else do you imagine
> > for "restart" then stop-start?
See above.
> I am curious how you implement "systemctl daemon-restart" using only
> plain "stop systemd" followed by "start systemd".
Yeah, good question. I'm also interested in the answer ;-)
Regards,
Christian Boltz
[1] According to the AppArmor developers, changing this behaviour in
the kernel so that already running applications get (re)confined is
close to impossible due to various reasons.
Details on request, but I know them (and AppArmor) good enough to
believe in this statement.
--
* cboltz wonders if jjohansen already regrets
calling me "a devs walking nightmare"
<jjohansen> cboltz: no it still fits :P
[from #apparmor]
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
